This shows how bug bounties are pitifully small and inadequate. Stop thinking that a $10k reward will prevent hackers. Either pay up for sec experts or be prepared to pay up through extortion or having your site exploited, and it will cost way more than 10k.
I have to say I think ransomware is one of the most interesting "business" practices. The trustworthiness of the criminals is huge because if they have a track record of providing the decryption key, you may as well pay.

In a logical extreme you could start adding features like "Give us the info of people you know and for every one we successfully extract a ransom from we'll give you 10% off your ransom."

It's interesting to think about at least.
You really can't blame them much, they had backups. University doesn't work like corporate, you have thousands of students who change every year, do their projects for which they require a lot of access; you can't lock everything dangerous, can't have any sensible BYOD policy, ... It's really hard to lock up everything while not limiting students too much. With an organization like this, that sort of incident is unfortunate but inevitable.
What if it were a federal criminal offense to pay ransom?
With long prison sentences for any individual convicted of participating in or having knowledge of a payoff?
And the government was serious about tracking down and prosecuting anyone who did so? Nobody would pay ransom, and, at least in countries with such a law, these extortion gangs would stop bothering.
> "The university's cyber insurance policy paid part of the ransom, and the university covered the remainder. No tuition, grant, donation, state or taxpayer funds were used to pay the ransom"

I was looking to dunk on them but it seems that what they did wasn't entirely unreasonable. The article further states that they paid to protect student data.
Out of curiosity, are these hackers still demanding ransom money in Bitcoin, or say any traceable cryptocurrency?

I remember encountering similar scenarios before and they all seem to want the money in a Bitcoin address.

Why not Monero, or an alternative if there is any, which I guess makes moving the funds around much more stealthy? Please correct me if I'm wrong.
Interesting discussions here about the actual costs and value of finding the bugs that enable these problems. There's basically very little cost to the companies in most cases that have vulnerabilities.

It's absolutely crucial, in my opinion, that we pass laws making paying off criminals illegal.

There are arguments here that paying off via insurance or other 'secondary means' is somehow shielding the institutions. It's morally wrong, and I suspect in reality it's technically wrong to make these payments. It's just wrong. There is the problem that at least some of these ransomware groups are in countries like Russia that don't care to really prosecute them. We need to stop this, make it clear it's not acceptable, fight with our usual means against money laundering. Pretty much every company in the western world is vulnerable to these problems, every public school, and behind the scenes lots of people are vulnerable.
When you pay ransom for physical possession you get your possession back.

When you pay ransom for lost data you get a copy of your data back. The culprits still have the data, but they likely don't have a use for that data.

But this is the worst kind of ransom.

You already have the data, you're paying ransom to make sure the culprits don't use the data, but the culprits still are in possession of the data and they can use the data next year, or two years later, or demand more payment next year.

What in the world?
Devil's advocate: ransomware is good. The financial incentives around it directly encourage this variety of hacking. It's an involuntary "bug bounty". And IT security becomes something more than a "nice to have" for these institutions, which it never would have before.

$450k? Universities know all about paying to learn. That's cheap, and they won't make the same mistakes again.
> "The university's cyber insurance policy paid part of the ransom, and the university covered the remainder. No tuition, grant, donation, state or taxpayer funds were used to pay the ransom," University of Utah officials added.

Can anybody elaborate more on this? What resources other than tuition/grant/donation/state funds are there to earn money?
At this point the government agency should perform some of those attacks, extort the money, make it public and then delete the data so the victim is out of data and the money.

Paying ransoms is terrible for the world. We will have more attacks on more targets. There needs to be heavy incentive to not pay.
There is no way those 450k are not being traced right now like hell; most likely it was allowed just because the investigation said so. It's a matter of time now.